Re: Regarding Private key

[Aarón Mizrachi <unmanarc () gmail com>]

On Miércoles 17 Junio 2009 05:08:42 manmeet Singh escribió:
> Hi all,
> I am facing a very tedious probelm. I want to know what the various options
> and how secure are these options.
>
> I have a file that contains plaintext.I have to read that file and after
> first read , encrypt it(AES) and delete the plain text file and save the
> encryped file.On subsequent reboots, i have to read decrypted text.
>
> Now the question is How do i manage the AES key?
> Storing the AES key/IV in file is one option? (Isnt It same as storing the
> plain key assuming i dont have any secure storage) 
Indeed. If the key is stored on the file, anyone could use it to decrypt the 
file.

> Hard code  the AES
> Key/IV values  in the code?
"Reverse engineer" against code could show you the key or a mechanism to 
decode it. Its more complex that getting the password from the file, but... is 
also not secure.

> What other options are possible. ?
You have three options. 

1. Introduce the key manually when your program starts... or...  2. use an 
external device to store the key. You should protect this external device and 
remove it when you are not using it... 

But...

There is no answers that could keep your file "automatically encrypted" without 
the possibility to be reversed. This is the same problem that faced some 
gamming companies on their consoles. You can obfuscate enough your code, pass 
antidebuggers, and more. It will only be a wall for non-skilled people. And 
its matter of time.

--------------

(3) The third option is: Use a server to store the key. Also, you could use 
SSL with preshared certificates to avoid man in the middle attacks and false 
connections. 

The only problem is that your program could be cracked and the certificate 
could be changed. Then MITM attack could be possible and the key could be 
stoled, and the file decrypted.

This is only obfuscation. 

> Warm Regards,
> Manmeet Singh
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
> Instructor-Led and Online formats is the most concentrated exam prep
> available. Comprehensive course materials and an expert instructor means
> you pass the exam. Gain a laser like insight into what is covered on the
> exam, with zero fluff!
>
> http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> ------------------------------------------------------------------------

-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.